Re: [webauthn] Add new getClientCapabilities method (#1923)

> > ...The idea is future capabilities checks get added as enums to this, and maybe there are convenience methods added too that make an appropriate call to this method behind the scenes.
> 
> I don't see `getCC()` replacing methods like `isPPAA()`. Rather I see there being value in a method `isPPAA()` essentially calling `getCC(['uvpaa', 'hybrid'])` behind the scenes. There's a developer usability win in having "convenience methods" like `isPPAA()` to make it easier to use (and provide guidance on using, a la https://passkeys.dev) WebAuthn, while still enabling RPs with more advanced use cases to drop down a level and call `getCC()` directly.

I am worried we are getting into "too complex" territory. It's always the case with standards like WebAuthn, OAuth2, OIDC, LDAP, or anything else, that while the standard may support 100 different options, what evolves is a small subset that is actually used day to day by implementors. For example, LDAP spans many RFCs with complex search options and extensions, and in reality most people just use search and bind.

I'm worried we are heading down this path - most RPs will never use 90% of what is being created here, like getCC or isPPAA, because these features end up causing UI/UX issues rather than solving them.

For example, isUVPAA() exists and is now falling by the wayside because we keep chasing these micro UI/UX tweaks that no one seems to need. isPPAA is probably going to end up the same, as RPs realise that security keys like YubiKeys exist and they can't just force users to use their phones with extremely slow and awkward caBLE workflows (did you know that in latency it takes ~15 seconds to use a phone for caBLE in AU? And this doesn't even include all the time to get the camera open and dive through all the choose-your-own-adventure menus Chrome gives you).

Even getCC querying for hybrid begs a lot of questions as to what you are trying to achieve, since the browser itself is already going to offer caBLE as an option without you needing to tweak anything. I don't think many RPs really even need this capability, since the *user* should be the one choosing what they want.

I think you need to expand on what you are trying to actually achieve here and how that works for the positive and inverse cases, because currently this seems like an internal MS detail or plan leaking into the specification rather than a change that I can broadly see RPs embracing.

-- 
GitHub Notification of comment by Firstyear
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/1923#issuecomment-1657347476 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Monday, 31 July 2023 01:08:38 UTC
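The two ways of probing the client that the thread argues about, the older `isUserVerifyingPlatformAuthenticatorAvailable()` and the proposed capabilities query, can be layered so that an RP page degrades gracefully and still leaves the authenticator choice to the user, which is the point Firstyear makes. The code below is an added illustration written for this page; it is not from the PR, the WebAuthn spec, or any browser. It assumes the capability record uses the keys `userVerifyingPlatformAuthenticator` and `hybridTransport` (the thread only calls them `'uvpaa'` and `'hybrid'`), and it assumes a "passkey platform authenticator" is available when either of those is true. The probe object is injected so the example runs under Node with constructed fake clients instead of a real `PublicKeyCredential`.

```javascript
// Added example, not code from the PR or the WebAuthn spec.
// `pkc` stands in for window.PublicKeyCredential so the logic is testable offline.

// Normalise a capability record (assumed key names, see lead-in) into what the
// page needs. Missing keys count as "unknown", not as false.
function fromCapabilityRecord(caps) {
  const uvpaa = typeof caps.userVerifyingPlatformAuthenticator === 'boolean'
    ? caps.userVerifyingPlatformAuthenticator : undefined;
  const hybrid = typeof caps.hybridTransport === 'boolean'
    ? caps.hybridTransport : undefined;
  // Assumption: "passkey platform authenticator" means local UVPAA or hybrid.
  const passkeyPlatform = (uvpaa === true || hybrid === true) ? true
    : (uvpaa === false && hybrid === false) ? false : undefined;
  return { uvpaa, hybrid, passkeyPlatform };
}

// Feature-detect in order: capabilities query, then isUVPAA(), then nothing.
async function probeCapabilities(pkc) {
  if (pkc && typeof pkc.getClientCapabilities === 'function') {
    const caps = await pkc.getClientCapabilities();
    return { ...fromCapabilityRecord(caps), source: 'getClientCapabilities' };
  }
  if (pkc && typeof pkc.isUserVerifyingPlatformAuthenticatorAvailable === 'function') {
    const uvpaa = await pkc.isUserVerifyingPlatformAuthenticatorAvailable();
    // isUVPAA() says nothing about hybrid, so that stays unknown.
    return { uvpaa: uvpaa === true, hybrid: undefined,
             passkeyPlatform: uvpaa === true ? true : undefined, source: 'isUVPAA' };
  }
  return { uvpaa: undefined, hybrid: undefined, passkeyPlatform: undefined, source: 'none' };
}

// The probe only changes the wording shown to the user. The request options
// are identical in every branch: no authenticatorAttachment and no transport
// filter, so the browser still offers security keys, platform and hybrid
// authenticators and the user picks. `challenge`/`rpId` are placeholders here.
function planLogin(probe) {
  let hint;
  if (probe.uvpaa === true) hint = 'Sign in with this device';
  else if (probe.hybrid === true) hint = 'Sign in with your phone or a security key';
  else hint = 'Sign in with a security key or another device';
  return {
    hint,
    publicKeyOptions: {
      rpId: 'example.test',            // placeholder
      challenge: new Uint8Array(32),   // placeholder; server-generated in practice
      userVerification: 'preferred',
      // deliberately no authenticatorAttachment and no allowCredentials transports
    },
  };
}

// Constructed fake clients standing in for three browser generations.
const fakeModernClient = {
  getClientCapabilities: async () => ({ userVerifyingPlatformAuthenticator: false, hybridTransport: true }),
};
const fakeLegacyClient = {
  isUserVerifyingPlatformAuthenticatorAvailable: async () => true,
};
const fakeNoWebAuthn = undefined;

async function demo() {
  for (const client of [fakeModernClient, fakeLegacyClient, fakeNoWebAuthn]) {
    const probe = await probeCapabilities(client);
    console.log(probe.source, '->', planLogin(probe).hint);
  }
}
demo();
```

Note that `planLogin` never restricts `authenticatorAttachment`: the probe feeds the copy on the button, not the set of authenticators the browser is allowed to offer.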